Hive Ransomware targets organizations with ProxyShell exploit

Threat Level – Amber | Vulnerability Report
Download PDF


For a detailed advisory, download the pdf file here

Hive Ransomware has been active since its discovery in June 2021, and it is constantly deploying different backdoors, including the Cobalt Strike beacon, on Microsoft Exchange servers that are vulnerable to ProxyShell (CVE-2021-31207,  CVE-2021-34473 and CVE-2021-34523) security flaws. The threat actors then conduct network reconnaissance, obtain admin account credentials, and exfiltrate valuable data before deploying the file-encrypting payload.

Hive and their affiliates access their victims’ networks by a variety of methods, including phishing emails with malicious attachments, compromised VPN passwords, and exploiting weaknesses on external-facing assets. Furthermore, Hive leaves a plain-text ransom letter threatening to disclose the victim’s data on the TOR website ‘HiveLeaks‘ if the victim does not meet the attacker’s terms.

The Organizations can mitigate the risk by following the recommendations: •Use multi-factor authentication. •Keep all operating systems and software up to date. •Remove unnecessary access to administrative shares. •Maintain offline backups of data and Ensure all backup data is encrypted and immutable. •Enable protected files in the Windows Operating System for critical files.

The MITRE ATT&CK TTPs used by Hive Ransomware are:

TA0001: Initial Access       TA0002: Execution       TA0003: Persistence       TA0004: Privilege Escalation       TA0005: Defense Evasion       TA0006: Credential Access       TA0007: Discovery       TA0008: Lateral Movement       TA0009: Collection       TA0011: Command and ControlTA0010: Exfiltration       TA0040: ImpactT1190: Exploit Public-Facing ApplicationT1566: PhishingT1566.001: Spear-phishing attachmentT1106: Native APIT1204: User ExecutionT1204.002: Malicious FileT1059: Command and Scripting InterpreterT1059.001: PowerShellT1059.003: Windows Command ShellT1053: Scheduled Task/JobT1053.005: Scheduled TaskT1047: Windows Management InstrumentT1136: Create AccountT1136.002: Domain AccountT1078: Valid AccountsT1078.002: Domain AccountsT1053: Boot or logon autostart executionT1068: Exploitation for Privilege EscalationT1140: Deobfuscate/Decode Files or InformationT1070: Indicator Removal on Host T1070.001: Clear Windows Event LogsT1562: Impair DefensesT1562.001: Disable or Modify ToolsT1003: OS Credential DumpingT1003.005: Cached Domain Credentials|T1018: Remote System DiscoveryT1021: Remote ServicesT1021.001: Remote Desktop ProtocolT1021.002: SMB/Windows admin sharesT1021.006: Windows Remote ManagementT1083: File and directory discoveryT1057: Process discoveryT1063: Security software discoveryT1049: System Network Connections DiscoveryT1135: Network Share DiscoveryT1071: Application Layer ProtocolT1071.001: Web ProtocolsT1570: Lateral tool transfer1486: Data Encrypted for ImpactT1005: Data from local systemT1560: Archive Collected DataT1560.001: Archive via UtilityT1105: Ingress Tool TransferT1567: Exfiltration over web service

Actor Details

Vulnerability Details

Indicators of Compromise (IoCs)

Recent Breaches

Patch Links


What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox